A document retention policy is a written set of rules stating how long your organization keeps each type of document and when to securely dispose of it. It replaces “let’s keep everything forever, just in case” with a schedule that everyone can follow.
Most organizations need a document retention policy for two reasons:
- Some records are legally required to be kept for a set number of years.
- Where it’s not a legal requirement, storing old documents indefinitely quietly piles up cost, clutter and data over time.
In this article, I’ll explain why your company or organization should have a document retention policy, and what it should contain. After that, I’ll provide a sample retention schedule for you to adapt. Finally, I’ll share a note on how retention sits alongside any duty to publish documents, and how archiving and expiry work once your files are live.
Why Every Organization Needs a Retention Policy
A retention policy answers one question for every document you hold: how long do we keep this, and what happens when that time is up? Without an agreed answer, the default is to keep everything, which quietly becomes a problem.
These are the three key benefits of having an effective retention policy for documents:
- Compliance. Tax authorities, regulators and funders set minimum retention periods for certain records. The US Internal Revenue Service, for example, sets out how long to keep records based on the period of limitations for each return. Miss the minimum and you can fail an audit or a grant review.
- Risk. A document you no longer need is a document that can still be requested, leaked or subpoenaed. Keeping personal data longer than you have a reason to also runs against most data-protection rules.
- Findability. When old drafts and superseded versions never get cleared out, the records people need get buried. A schedule keeps the live set lean.
A written policy also takes the decision off any one person. Nobody has to judge in the moment whether a five-year-old file is safe to delete, because the schedule already says so. That consistency is what auditors and boards look for, and it also helps to protect the people managing the documents.
What a Document Retention Policy Should Cover
A good retention policy is short and practical. It needs to tell a reader what each type of record is, how long to keep it, and who is responsible. This includes five main elements:
- Scope. State which records the policy applies to, in every format. Paper, email, scanned files and documents in your systems should all be covered, so nothing falls through a gap.
- Record categories. Group your documents into types that share a retention period, such as financial records, board minutes, contracts and HR files. You set rules per category, not per file.
- Retention periods. Give each category a clear period, expressed as a number of years or as “permanent”. Where a legal minimum applies, cite it so the figure isn’t a guess.
- Disposal method. Say what happens at the end of the period. Some records are shredded or permanently deleted, others are moved to a long-term archive rather than destroyed.
- Ownership and review. Name who is responsible for applying the schedule, and set a date to review the policy, usually once a year or when the law changes.
Keep the language plain enough that a new staff member or volunteer could apply it without asking. Bear in mind that a retention policy that only its author understands won’t survive that author leaving. You want the policy to be actively used throughout your organization for years, long after you’ve moved on.
A Sample Document Retention Schedule
The retention schedule is at the heart of the policy. The following table lists each category and its period - use it as a starting point for creating your own. The periods shown are common practice rather than universal law, so treat them as a draft to check against the rules for your own country, state and sector.
| Document type | Typical retention period | Notes |
|---|---|---|
| Governing documents (articles, bylaws and registrations) | Permanent | The core records that define the organization. |
| Board and committee minutes | Permanent | Evidence of decisions, rarely safe to delete. |
| Annual reports and audited accounts | Permanent | Often published as well as retained. |
| Tax returns and supporting records | 7 years | The IRS minimum is usually 3 years, but many keep 7 to be safe. |
| Employment and payroll records | 4 to 7 years | The IRS asks for at least 4 years of employment tax records. |
| Contracts and agreements | 6 to 7 years after they end | Counted from expiry, not the signing date. |
| Grant and funder documentation | Per grant terms | Funders often require 3 to 7 years after the grant closes. |
| Insurance policies | Permanent or until all claims close | Old policies can matter for late claims. |
| Routine correspondence and drafts | 1 to 2 years | Low-value records that don’t need to pile up. |
Notice that the periods run from a clear event, such as the end of a contract or the close of a grant - not from the day the file was created. Write that trigger into the schedule so there’s no ambiguity about when the clock starts. Without it, misunderstandings and mistakes follow.
I also recommend a habit that makes the schedule easier to apply: build the retention period into the way you name and version your files. If you already follow a document version control system, the date and version in each filename tell you at a glance how old a record is and whether it’s the current one. That way, you can easily see what’s needed and what can be removed.
Retention vs Public Disclosure Obligations
Retention is about how long you keep a document or record. Disclosure is about who is allowed to see it, and sometimes whether you’re required to publish it. The two duties overlap, and I recommend keeping them clearly separate in your policy.
Plenty of organizations have a legal duty to make certain documents available, not just to retain them. For example, local councils and government bodies publish agendas, minutes and financial records for transparency. Nonprofits publish annual reports and policies for members and funders. Homeowners associations have to make governing documents and records available to their members, with the rules set state by state.
For those records, your policy has to handle two timelines at once. The document needs to stay published and easy to find for as long as people are entitled to see it. It also follows the retention rule that decides when it’s eventually archived or removed.
Archiving and Expiring Documents in Practice
A policy only works if you put it into practice. This means actually disposing of the document at the time specified by the retention policy.
The common failure is that records reach the end of their retention period and simply stay where they are, because removing them is a manual job that nobody owns. Building automatic expiry into where the documents live fixes that.
This is particularly important for the documents you publish on your website. We built Document Library Pro to present your files as a searchable library on your own site. Visitors can search by keyword, filter by category, sort the columns and preview a file in the browser before downloading it.
It works either as a WordPress plugin or embedded into Shopify, Squarespace, Wix, Webflow, a custom site or intranet with a short embed code.
For a retention policy specifically, the useful part is automatic expiry. You can set documents to disappear from view on a date, which turns the disposal column of your schedule into something the system enforces rather than a reminder somebody has to remember. This won’t actually delete the document behind the scenes - you still need a process for that. Crucially, though, it removes documents from public view at the appropriate time.
You can also display the date each document was last updated, so readers see at a glance how current a published record is.

In our own analysis of 500 sites that use Document Library Pro, the libraries are run mostly by larger organizations: nonprofits and charities, health bodies, councils and parish councils, and membership associations. Those are exactly the groups that face retention rules and publishing duties, so they tend to keep long-lived documents that have to be both current and disposed of on schedule.
Just bear in mind that the published library only enforces the part of the policy that the public or your members can see. The internal records that your retention policy also covers, such as payroll files or signed contracts, live in your finance and HR systems, and your schedule needs to reach those too. Both are important.
Frequently Asked Questions About Document Retention Policies
What Is a Document Retention Policy?
A document retention policy is a written set of rules that states how long an organization keeps each type of record and how it disposes of them afterwards. It usually includes a retention schedule that lists every record category alongside its retention period.
How Long Should You Keep Business Documents?
It depends on the record. Governing documents, board minutes and annual accounts are usually kept permanently, while tax and employment records are commonly kept for around 4 to 7 years. Always check the legal minimum for your country, state and sector, because the period is set by the type of record.
What Should a Retention Policy Include?
A retention policy should set out its scope and the categories of records it covers. For each category, give a retention period and a disposal method, then name who is responsible for applying and reviewing the policy. Keep it plain enough that any staff member or volunteer can follow it.
Is a Document Retention Policy a Legal Requirement?
The policy itself is not always mandatory, but the retention periods inside it often are. Tax authorities, regulators and funders set minimum periods for specific records, so a written policy is the practical way to prove you meet them. Many sectors and grant agreements also expect one.
How Often Should You Review a Retention Policy?
Review it at least once a year, and whenever the law, a funder’s terms or your own record-keeping changes. A yearly review keeps the schedule aligned with current rules and catches any new record categories you’ve started to hold.
Put Your Retention Policy Into Practice
A retention policy comes down to one schedule that everyone follows: what you keep, for how long, and what happens at the end. Get that written down and the awkward “can we delete this?” question stops landing on whoever happens to be looking at the file.
Here’s how to put one in place:
- Group your records into categories that share a retention period.
- Set a period for each one, citing the legal minimum where one applies.
- Decide the disposal method for each category, whether that’s deletion or a long-term archive.
- Note which categories you’re also required to publish, and keep those available for as long as the duty lasts.
- Name an owner and a yearly review date, so the schedule stays current.
For the documents you publish, putting them in a searchable document library lets you enforce the schedule automatically, with each record set to expire on a date and a last-updated date on display. You can try Document Library Pro free for 14 days and keep your published records current, accessible and disposed of on time, on the website you already have.